Ransomware that targets specific businesses and spreads itself using worm-like techniques was a game changer this year as ransomware authors shifted focus to the business community in attacks that now cost an average ransom of $US544 ($A684) per endpoint, new research has warned.

Businesses accounted for 42 percent of all ransomware infections in the first half of this year, according to Symantec’s Ransomware 2017 Internet Security Threat Report. This represented a significant jump from the 30 percent figure last year, mainly on the backs of the high-profile WannaCry and Petya attacks – the latter of which has been credited with significant financial costs and business interruption at the likes of FedEx, Merck, Cadbury, and Maersk.

The findings – and the massive disruption caused by the recent attacks – are a wake-up call for security and business executives who have seen ransomware as being primarily a consumer issue, or no issue at all. Indeed, the recent Acronis Data Protection Survey of Australian Internet users found that 41.7 percent had never heard of ransomware like WannaCry and Petya, and 2.2 percent had been hit by the code.

That put Australian users ahead of those in 6 other comparable countries, with 50.7 percent of respondents overall saying they had never heard of ransomware. “People who have never heard of ransomware may be the targets for future attacks,” Acronis vice president for consumer and small business Gaidar Magdanurov warned in a statement.

There was a major disconnect between the value consumers placed on their data – fully 80.2 percent said they would only pay less than $50 to recover their data – and ransomware authors’ average expectation of a $684 ransom, as reported by Symantec. This reflects the growing shift towards business targets, where ransoms may be treated as a cost of doing business rather than a prohibitively expensive out-of-pocket cost.

The warnings about ransomware awareness come as security researchers this week reported new strains of ransomware, including warnings from Comodo Threat Intelligence Lab about a new wave of IKARUSdilapidated Locky ransomware that commandeers a target network’s computers to send out mass phishing emails.

Phishers were also taking advantage of the unfolding humanitarian crisis in Texas, where millions have been displaced by record floods due to Hurricane Harvey. Scammers wasted no time adapting their phishing attacks to lure potential ransomware customers with promises of ‘terrifying video’ or ‘donate to the relief effort’.

“Every time a major news event occurs,” Proofpoint vice president of product marketing Kevin Epstein said in a statement, “we see scammers use related headlines to lure unsuspecting victims into clicking on malicious URLs or attachments in both email and social media.”

There was some good news in the Symantec research – the number of new ransomware families slowed in the first half of this year after more than tripling during 2016 – but the firm warns that this may be due to the ransomware market becoming dominated by “professional ransomware gangs” that are more likely to go where the money is. This is reflected in a jump in the number of ransomware variants – from 241,000 during all of 2016, to 176,000 in the first half of 2017 alone.

Those figures suggest that ransomware authors are focusing on tweaking successful attacks and targeting them against particular companies of interest. Yet even some of the newer attacks were showing innovation that could yet again catch businesses unawares: a new analysis by Sophos security research arm SophosLabs, for one, warned that more than half of the 8.5m suspicious Android applications they analysed had malware, including attacks that steal data; GhostCtrl mobile ransomware; and ransomware buried in copies of the popular game King of Glory.

Whether via mobile or more conventional devices, the evolving state of ransomware attacks is a reminder for businesses to be particularly aware of their exposure and how to limit it. Self-propagating ransomware can quickly become a financial and logistical nightmare, Symantec warned while noting that ransomware “is not a predictable threat and organisations who are complacent may be caught out.”

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.